This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 68%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELC%3C/text%3E%3C/svg%3E)
I have a GPO to deny interactive logon linked to Servers OU. In the policy, I'm denying interactive logon to an AD Group called "Deny interactive logon" (I know creative).
This policy IS NOT linked to the Domain Controllers OU.
Yet when I put a domain admin in this group, the policy applies and the domain admin CANNOT RDP to the DC.
Troubleshooting steps
Look at all GP's linked to the Domain Controllers container and none has Deny Interactive Login Setting
Ran a GPO modeling with the DA account and the DC ...exported the report html and search for anything "DENY" and nothing exists in the report with that word
I'm at a lost here why this is being applied to domain controllers when the GP is NOT linked to the domain controller container.
Help please!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 96%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFF%3C/text%3E%3C/svg%3E)
Hi,
When " the domain admin CANNOT RDP to the DC", what's the error message?
Was the domain admin a member of the administrators group?
Run the cmd on the DC and enter the command as administrator : gpresult /h c:\report.html
If possible , please share a screenshot here!
Then check the default domain controller policy ,under the Allow log on through Remote Desktop Services :if the domain admin was added.
By default, only administrators can rdp to the DCs.
Best Regards,
Here is the error message... typical deny interactive login
yes the default domain controller policy has allow log on thru remote desktop services with BUILD\Administrator. But for some reason the GPO from the servers OU (a different OU ...not DC OU) is being applied to the DC's.
I can't run gpresult /h because I can't log in! haha
If I take my self out of the group that the policy is being applied to then I can log in with no issues.
I'm completely stumped! I checked all the GPO's that trickle down to the domain controllers OU to see if there is ANYTHING remotely to deny RDP ... nada!
The only deny RDP is in a GPO linked to servers OU. crazy
Hi,
"I put a domain admin in this group", what's the account you used? Was it the built-in administrator account or users you created? Is it in the built-in administrators group?
Can you check the settings from the local group policy:
If possible, you can share a screenshot here!
Best Regards,
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 51%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECL%3C/text%3E%3C/svg%3E)
II'm very sorry for late response.
Turns out that when we go on the DC it self and run GPEDIT.MSC we found the group was MANUALLY configured here to deny interactive login...and thats why it was failing eventhough there was NO GPO being applied.... someone ran some hardening script when the DC was built. Ughhh thanks so much everyone!
Glad to hear you find the cause!
You can accept your answer as answer to help more people.
Best Regards,